Dave Bittner (13:30)

If you would have asked me that question 20 years ago, I might have said based on the things that I'm seeing, this is what I'm concerned about. The uniqueness of today is everybody sees them. This is no longer an academic exercise. This is not a philosophical conversation of what could happen or what might happen if a sophisticated adversary started looking at our, let's say our critical infrastructure. Vault Typhoon and Salt Typhoon have been eye opening experiences. This is something that we no longer have to confirm or deny they're doing it for us. They're demonstrating the capabilities to do these things. And I think what is more and more interesting, when you start getting to some of the philosophical military philosophy of, let's say, the Chinese military organization, the targeting of our critical infrastructure is a key first indicator, first movement advantage of them. So this is not them being in our infrastructure because it's an interesting intelligence problem they're trying to solve. This is pre positioning to degrade certain functionality of what we do over here. Prior to, you know, let's say, you know, a move on Taiwan. But we all see it now. We're all witnessing it. My concern is we're not moving fast enough.

Christopher Cleary (14:41)

Why do you say that? What are the shortcomings here?

Dave Bittner (14:44)

Well, it is clear what let's say in this instance China is doing again, Vault and Salt Typhoon. So there's no questioning the capabilities of certain adversaries to do certain things in our infrastructure. There's also no shortage of companies that have come up with technologies to solve this problem. There's plenty of those out there. The question that I've always had is how have those two things still not seemed to come together?

Christopher Cleary (15:09)

So are we waiting for the problem? I hate to say, you know, that old chestnut of cyber 9 11, but is that what it's going to take?

Dave Bittner (15:20)

That is the thing I'm struggling with. So the cyber 911 is something we talk a lot of. I don't know if we're actually going to see that in the way that we think we're going to see it, because we've seen other things that I would argue culminate to that. Solar winds, Colonial Pipeline, the North Korean attack on Sony, there's several, again, Salt and Vault Typhoon that have happened just recently. Now, the problem is, with the exception of what we saw at Sony, those other things I would argue are using the word attack incorrectly. I'm a classically trained military officer, enlisted in the Navy, went to the Naval Academy, went to the Naval War College. When the military uses the word attack, it has a very, very specific definition. Definitionally, it's something that is with the intent to injure or kill personnel or damage or destroy equipment. That is an attack. Everything shy of that can be stuff that we're not happy about, but it doesn't quantify to the category of an attack. When we call every cyber incident an attack, then the ones that are really, really bad are called an attack, and the ones that are not so bad are called an attack. And they all begin to blend together and they all Begin to lose meaning. Because I would argue if we save the word attack for things that met a very specific definition, it would then call into question how we are going to respond to these things. So you doing a firewall scan, an event, somebody might call that an attack? Well, I would disagree. That wasn't done with the intent to damage or destroy equipment. Even if you steal something, well, that's a criminal activity. It might even be associated with espionage. But was it an attack? I would say no. Now Sony, on the other hand, the North Koreans intentionally had the intentions to damage and destroy equipment that was arguably a U.S. company or some affiliates in the U.S. i know it's owned by parent in Japan, but the point is it was done with the intent to damage or destroy information. To me that's an attack. By its definition, it's an attack and we should have had a way to respond to that and that we miss that opportunity in my opinion, to respond in a way that we could have. The Department of Defense needs information technology to support those missions. Yes, we need computers to send email and we need command and control systems to push data. But now this is also a domain in which we're going to conduct warfare. They are looking for means and methods to deliver effects in the domain that are not necessarily kinetic in nature. What makes this space really interesting in the near term, almost every major weapons system that we're acquiring right now is over budget, behind schedule and suffers from major supply chain and workforce shortages. The ability to move over to the non kinetic space. And when I say cyber, I'm really talking about electronic warfare, information operations, space, AI, machine learning. All of that is sort of, I'm just using cyber as sort of the blanket term which is referencing all things fundamentally non kinetic which are relatively inexpensive to acquire compared to let's say a Ford class aircraft carrier, relatively quick to market and relatively unconstrained by range. And I think when you look at companies like Mantech that are trying to push this narrative, it's really about, hey, the way that we see warfare today really lives in the world of the kinetic mind. Drones have been introduced into the space autonomous systems, systems that are cheaper, attritable, that is we don't care if we lose them and easy to sort of maintain. That's the drone world. Well outside of that, the next one is well, leveraging non kinetic effects to go after command and control systems and targeting systems and satellite systems and infrastructure that moves trains around or moves water around or keeps electricity flowing. All of those are target sets and all of those can be engaged theoretically through the non kinetic spectrum at a much reduced cost.

Christopher Cleary (19:05)

It's my perception that from the government's point of view there is an intentionality in not drawing bright lines when it comes to cyber. And when you combine that with the private industry's desire to sell cyber to businesses and to the government, so it's in their best interest to make this seem as scary as possible, I think you get an interesting tension there.

Dave Bittner (19:39)

So what you're sort of hinting at is another really hotly debated topic with inside the cyber community. Should we have a Cyber Force? Should CyberCom and NSA be separated? I have my opinions. A lot of them are predicated around things like force generation. Cybercom can have enhanced budget control, but cybercom can't force the Navy to produce more cyber war for engineers. So that, that is one of the problems. That would be one of my arguments for a cyber service, but I'm only like 51% in favor of that. And it's all around force generation. I know all the other problems that would be caused by a cyber service. But to get back to the other point of your question, what's interesting about that is I had a general that I was, I'm very, very fond of when we were having a conversation very similar like this and I was, you know, advocating for offensive cyber. And you know, he's bringing to the attention the vulnerabilities that we have. And he says, Chris, when you're covered in gasoline, you're, you don't wanna have a match fight. And I said, okay, I get that, but you're saying I am covered in gasoline. If I don't have a match, they won't have a match. So they're certainly gonna throw a match at me because I'm covered in gasoline. So the point is our vulnerabilities that we have in all of our systems I think are one of the reasons why we didn't necessarily wanna poke the bear. Right? I don't wanna necessarily have a cyber on cyber fight because maybe I have much more to lose because our adversaries are for the most part unconstrained in the way they would think about targeting us, whether population or infrastructure or critical infrastructure. And we are more constrained where we would only want to leverage, let's say cyber capabilities to engage, let's say military war fighting capacity of our adversaries. I think that's one of the things. And then you get into this idea of the difference between tools and weapons. Google and Microsoft are never going to get into the cyber weapons game. But they certainly provide an environment that is an attractive target to our adversaries. The Department of Defense runs on Windows. I mean, that's just a fact. And there's some weapons systems that run on Windows. Just a fact, commercially provided. And our adversaries know that. And they work on means and methods to figure out how to deliver effects against that environment. For instance, infrastructure's a really good topic to talk about because, you know, if I find an adversary in my water treatment plant, there's nothing there that's inherently an intelligence value to them. You know, there's no piece of equipment in that plant that they couldn't go out and buy commercially. Hell, you could probably ask the company that made that plant to come into your country and build the exact same thing there.

Christopher Cleary (22:07)

Right.

Dave Bittner (22:08)

So there's really no, you know, all that stuff's publicly available.

Christopher Cleary (22:10)

Yeah.

Dave Bittner (22:11)

So the only reason you're there is potentially want to impact the operations of that water treatment plant at a time and place of your choosing. Now, there are some cyber norms that were put out by, you know, there's a group in Estonia that put cyber norms and infrastructure is one of these things. They would consider a cyber norm like thou shall not engage critical infrastructure of another country because of the impact it would have to the civilian population. But when you really become sort of a student of the art of warfare or the laws of armed conflict. Well, if I have a bridge, and that bridge supports commerce, but for two towns on either side, it's not a military target until there's a tank on it. If a tank is crossing that bridge, it's a legitimate military target for those reasons. And I think what you're saying is there's a lot of industry in the United States that is not only of interest to our adversaries, to maybe gain some inherent intelligence value from it. Sure. Steal intellectual property, all that other stuff. But then there's a lot of things that are here that are legitimate military targets because of the way those things support military activities. Baltimore Gas and Electric is a legitimate military target because it provides something like 80% of the electricity to the National Security Agency, which is a military target. Right. So the things supporting it, the second and third order things, are in themselves defined as legitimate military targets. Now, if Baltimore Gas and Electric did not support electricity to a military war fighting capacity, then you'd say, well, no, that's not in bounds. You just made a lot of people unhappy. You could argue a lot of the things the Soviets are targeting in Ukraine are just to make the population over there. Miserable. I'm bombing a power plant because I want the power to go off in a city. And that power doesn't necessarily support military activity.

Christopher Cleary (23:56)

Or a hospital.

Dave Bittner (23:57)

Or a hospital. Right. Those are out of bounds. And now the real question comes in is how do these companies really protect themselves? Because there's only so much I would expect a company to do. If you find yourselves in the crosshairs of a well resourced, dedicated, sophisticated adversary like China, I wouldn't expect Baltimore Gas and Electric to fully be able to protect itself. There's some things they should be doing. Of course, there's best practices. There's probably a lot of technology they should be applying to protect and defend. But a company like Baltimore Gas and Electric, I need to be survivable, not necessarily cybersecure.

Christopher Cleary (24:36)

Let's talk about this notion of full spectrum cyber and this idea that offensive cyber expertise informs defensive cyber strategies. Can you unpack that for us?

Dave Bittner (24:49)

Everybody says that offense has the advantage, right? You know, I have to be right once. The defender has to be right all the time. And you're always going to find some kind of little hole. You know, offense is intent. I think when we really start talking about what could be happening in the future, we're really talking about the difference between like our tool and a weapon, right? If. If I'm on your system because I want to break it, it's not the same. Because I'm on your system because I want to steal the information. Now, stealing the information mostly we see through intellectual property or just good old intelligence collection. But when we start talking about offense informs defense, I think we are pretty mature as a community. Whether it's people in uniform or people out of uniform, there's lots of people that have demonstrated proficiency, whether it's companies or organizations or communities to do those things. What you find is most cyber is in the mind. It's the person that knows how to sort of operate in and through an environment, leveraging whatever technology they have access to. There's a lot of things that script kiddies can use now. So there are tools that make it easier, but your real professionals are the ones that still live in the command line and know how to operate on demand or operate on the fly. The trick is, when you look at equipping, let's say cyber forces in the DoD is how do I begin to present capability in such a way that the lowest common denominator cyber operator can be presented something and still have the ability to be effective in the area that you've asked them to Be I think you see variances in capability when you look at the cyber community, whether people in uniform, out of uniform or working with industry building offense and defense capability to support all the above.

Christopher Cleary (26:30)

So in your estimation, what is the role that that industry plays here, helping government agencies improve their cyber posture?

Dave Bittner (26:41)

I guess it's kind of mission dependent. Right. So I'm going to speak for Mantec specifically. We are a national security company, so when we look at the things that we do, we're principally supporting the Department of Defense or the intelligence community. So the things that we're looking to provide are things that you wouldn't necessarily go to Microsoft or Google or Amazon to get. We're supporting very specific missions, which means we're making capabilities that you're not going to find out there on the public market to put not a too fine point on it. You know, non kinetic capabilities designed to deny, degrade, destroy, disrupt or collect intelligence, you know, or support the survivability of things that we need to go beyond cybersecurity and move into cyber survivability. Like there's lots of companies that are going to do the basic cybersecurity stuff just better than us, but we're going to acknowledge that there's people that make really, really good products. When you start moving beyond traditional cybersecurity and moving into cyber survivability and survivor strike or dominance or delivering effects in the community, it's more than a slightly different skill set, but it's also a different intention and where you want to invest resources to enable support DoD specific missions, which again there's a smaller market for us. Operational technology needs to be survivable and our military branches need to be able to deliver effects in this domain that put the hurt on adversary systems, whether it be in weapon systems or infrastructure that goes to support that. I'm not going to go so far as to say critical infrastructure like civilian water and power, but certainly infrastructure in place used to support those systems or the things we're going to be thinking about building capability for.

Christopher Cleary (28:25)

So you're collaborating with the government on the horizon of the possible.

Dave Bittner (28:33)

What makes this world so interesting is the cyber game. The book has not been written yet. If I looked at air warfare or we've seen Top Gun and we've seen Hunt for October, those communities have been around for a long, long time. I think what's interesting in this space is, you know, new fresh talent could be as relevant, if not more relevant on day one because of, you know, the idea of them being digital natives. You know, a lot of the senior military people are arguably still struggling with what this thing called cyber is. When you know, the new cadre of digital natives graduating school who know Twitter and X and you know all, I can't even keep up with my own kids. You know, apps, I wish I and I do this for a living, right? They're just more comfortable in this environment. And I think those are the ones that are really going to turn this domain into what it's destined to be. So when I talk to a lot of new people coming into the world, one of my sayings I would go to them is, look, I know I don't know what you know and I know I know that. My point is I know and I'm just gonna push the believe button that I'm probably never even gonna understand what you're trying to tell me. Even though I don't understand it doesn't mean I'm not gonna approve it or endorse it or support it or champion it, because I believe you are the future, even if I can't understand the ones and zeros of how you're getting there. The irony is a lot of the debates we're having as a military over these new technologies. If you started reading books of the late 1800s, early 1900s, talking about the submarine or the airplane, all these debates are exactly the same. We had all of these debates 100 and some odd years ago. And the irony is 100 years later, we're having them again. We just insert cyber for submarine and AI for airplane. They're all the same.

Christopher Cleary (30:23)

Well, Chris, thank you so much for taking the time for us today and sharing your expertise.

Dave Bittner (30:27)

Yeah, thank you so much. I really enjoyed being here.

Christopher Cleary (30:30)

That's Christopher Cleary, VP of Global Cyber Practice at Mantech. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit or but hard for defenders to detect. This poses risk in active directory, entra ID and hybrid configurations. Identity leaders are reducing such risks. With attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk. With Bloodhound Enterprise powered by Spectrops. Head to Spectrops IO today to learn more. Spectrops see your attack paths the way adversaries do. And finally, Coinbase is offering a 20 million dollar bounty. But not for lost treasure. The crypto giant is hunting the modern day pirate who tried to extort the company using stolen customer data. The would be blackmailer emailed Coinbase demanding $20 million or else they'd leak user info. Coinbase's response? A firm no, followed by a blog post worthy of a cyber thriller. According to Coinbase, the breach stemmed from a small group of overseas customer support agents, reportedly in India, who were persuaded by cash offers to leak data affecting fewer than 100,000 users. The company fired the insiders and is now prepping for remediation costs between $180 million and $400 million because apparently loose lips really do sink crypto ships. While no funds or login credentials were stolen, customer info like emails, masked Social Security numbers and transaction histories were. Coinbase urges users to beware of imposters and phishing scams or promising reimbursement to any victims duped by the fallout. The moral of the story if you plan to extort a crypto giant, don't forget that karma is also decentralized. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Max Gannon from Cofence Intelligence. The research is titled the Rise of Precision Validated Credential Theft A New Challenge for Defenders. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. Were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Worried about cyber Attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care cyberwire.